Monday, July 15, 2013

Firefox Add-ons for penetration testers

In
this brief post, we are listing a few popular and interesting Firefox
add-ons that are useful for penetration testers. These add-ons vary
from information gathering tools to attacking tools. If you are
using BACKTRACK than use OWASP Mantra which has lots of useful
Add-ons.

(1)FirebugFirebug
is a nice add-on that integrates a web development tool inside the
browser. With this tool, you can edit and debug HTML, CSS and
JavaScript live in any webpage to see the effect of changes. It helps
in analyzing JS files to find XSS vulnerabilities. It’s an really
helpful add-on in finding DOM based XSS for security testing
professionals.Add Firebug
in your Browser from this link:
https://addons.mozilla.org/en-US/firefox/addon/firebug/

(2)Web
DeveloperWeb
Developer is another nice add-on that adds various web development
tools in the browser. It helps in web application penetration
testing.Add Web
Developer
in your browser from this link:
https://addons.mozilla.org/de/firefox/addon/web-developer/(3)Live
HTTP HeadersLive
HTTP Headers is a really helpful penetration testing add-on for
Firefox. It displays live headers of each http request and response.
You can also save header information by clicking on the button in the
lower left corner. I don’t think that there is any kind of need to
tell how important this add-on is for the security testing
process.Add Live
HTTP Headers
to Firefox with this link:
https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/

(4)Tamper
DataTamper
Data is similar to the Live HTTP Header add-on but, has header
editing capabilities. With the tamper data add-on, you can view and
modify HTTP/HTTPS headers and post parameters. Thus it helps in
security testing web application by modifying POST parameters. It can
be used in performing XSS and SQL Injection attacks by modifying
header data.Add the Tamper
data
add-on to Firefox browser with this link:
https://addons.mozilla.org/en-US/firefox/addon/tamper-data/)

(5)HackbarHackbar
is a simple penetration tool for Firefox. It helps in testing simple
SQL injection and XSS holes. You cannot execute standard exploits but
you can easily use it to test whether vulnerability exists or not.
You can also manually submit form data with GET or POST requests. It
also has encryption and encoding tools. Most of the times, this tool
helps in testing XSS vulnerability with encoded XSS payloads. It also
supports keyboard shortcuts to perform various tasks.I am sure, most
of the persons in the security field already know about this tool.
This tool is mostly used in finding POST XSS vulnerabilities because
it can send POST data manually to any page you like. With the ability
of manually sending POST form data, you can easily bypass client side
validations of the page. If your payload is being encoded at client
side, you can use an encoding tool to encode your payload and then
perform the attack. If the application is vulnerable to the XSS, I am
sure you will find the vulnerability with the help of the Hackbar
add-on on Firefox browser.Add Hackbar
add-on to Firefox browser with this link:
https://addons.mozilla.org/en-US/firefox/addon/hackbar/

(6)WebsecurifyWebsecurify
is a nice penetration testing tool that is also available as add-on
for Firefox. We have already covered WebSecurify in detail in
previous article. WebSecurify can detect most common vulnerabilities
in web applications. This tool can easily detect XSS, SQL injection
and other web application vulnerability. Unlike other listed tools,
it is a complete penetration testing tool in itself available as a
browser add-on. It gives most of the features available in standalone
tool.Add WebSecurify
to Firefox browser with this link:
https://addons.mozilla.org/en-us/firefox/addon/websecurify/(7)XSS
MeCross
Site Scripting is the most found web application vulnerability. For
detecting XSS vulnerabilities in web applications, this add-on can be
a useful tool. XSS-Me is used to find reflected XSS vulnerabilities
from a browser. It scans all forms of the page, and then performs an
attack on the selected pages with pre-defined XSS payloads. After the
scan is complete, it lists all the pages that renders a payload on
the page, and may be vulnerable to XSS attack. Now, you can manually
test the web page to find whether the vulnerability exists or not.Add
XSS Meto
your Firefox browser:
https://addons.mozilla.org/en-us/firefox/addon/xss-me/

(8)SQL Inject
MeSQL
Inject Me is another nice Firefox add-on used to find SQL injection
vulnerabilities in web applications. This tool does not exploit the
vulnerability but display that it exists. SQL injection is one of the
most harmful web application vulnerabilities, it can allow attackers
to view, modify, edit, add or delete records in a database.The tool
sends escape strings through form fields, and tries to search
database error messages. If it finds a database error message, it
marks the page as vulnerable. QA testers can use this tool for SQL
injection testing.Add SQL Inject Meadd-on
to your browser:
https://addons.mozilla.org/en-us/firefox/addon/sql-inject-me/

(9)CryptoFoxCryptoFox
is an encryption or decryption tool for Mozilla Firefox. It supports
most of the available encryption algorithm. So, you can easily
encrypt or decrypt data with supported encryption algorithm. This
add-on comes with dictionary attack support, to crack MD5 cracking
passwords. Although, it hasn’t have good reviews, it works
satisfactorily.Add CryptoFox add-on
to your browser:
https://addons.mozilla.org/en-US/firefox/addon/cryptofox/

Social Engineering Tool kit is cool tool which came with BACKTRACK, this increase power of metasploit. If you are on any linux system other...

ABout me

I am Nirav Desai. I am author of this blog. Now I am doing Electronics & Communication Engineering. But i am interested in field of I.T. & Networking.I am also interested in web-application testing, penetration testing,blogging, Search Engine Optimization (S.E.O).